Okta Classic Engine | Administration | Answered | 2024-03-25T13:08:42.000Z | 2018-08-24T04:05:29.000Z | 2019-01-07T01:57:38.000Z

xawd7 (xawd7) asked a question.

Network zones and proxy ip vs gateway ip

Just wanted to clarify how the proxy ip address works for a network zone?

 

https://help.okta.com/en/prod/Content/Topics/Security/Security_Network.htm?Highlight=network%20zone

 

A request is within an IP Zone if the public IP of the address falls within range of the configured gateway IP addresses. If the request is via a proxy, configure the IP address as a proxy IP. Okta will trust the proxy IP address and attempt to match the client IP with the configured gateway IP addresses.

 

Is this using the X-Forwarded-For header or similar to match for client IP -> gateway IP? IE if gateway is IP1 and proxy is IP2, then create a network zone with IP2 in the proxy ip addresses and IP1 in the gateway IP addresses, and Okta will obtain the gateway IP from the 'X-Forwarded-For' header?


  • mike.davie1.5312945692819849E12 (Customer First Programs)

    Hello Bernie,

     

    Thanks for posting your inquiry in Okta Community Portal.

     

    If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 

     

    Thank you,

    Mike Davie

    Okta Help Center

  • xawd7 (xawd7)

    So just to clarify Mihai, from that document it sounds as though as long as the gateway is defined as a network zone then the capability to extract the Client IP from the X-Forwarded-For header will work?

     

    As an example, if my public gateway IP is 110.80.X.X and my request goes through a proxy with a public IP of 45.250.X.X. Then if I have defined a network zone with Gateway IP as 110.80.X.X and Proxy IP as 45.250.X.X, then Okta will be able to determine the client IP of 110.80.X.X from the X-Forwarded-For header?

  • xawd7 (xawd7)

    Appears that the developer docs explain this behaviour, thanks Mihai.

     

    The public IP address of your application will be automatically used as the client IP address for your request. Okta supports the standard X-Forwarded-For HTTP header to forward the originating client’s IP address if your application is behind a proxy server or acting as a login portal or gateway.

     

    Gateway needs to be defined as an IP network in order for the header to be used as well.

     

This question is closed.
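
An added example, not part of the thread and not Okta's implementation: a general trusted-proxy model of the behaviour the quoted documentation describes, where X-Forwarded-For is honoured only when the connecting peer is a configured proxy IP and the resolved client IP is then matched against the gateway IPs. The function names and the RFC 5737 documentation addresses are constructed for illustration.

```python
import ipaddress


def resolve_client_ip(remote_addr, xff_header, proxy_ips):
    """Rightmost hop that is not a trusted proxy, or None if it cannot be determined.

    The hop chain is the X-Forwarded-For entries (oldest first) followed by the
    address of the peer that actually opened the connection.
    """
    proxies = [ipaddress.ip_network(p) for p in proxy_ips]
    chain = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain.append(remote_addr)
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed rather than guess
        if not any(addr in net for net in proxies):
            return addr  # first untrusted hop is the effective client
    return None  # every hop was a trusted proxy


def in_zone(remote_addr, xff_header, gateway_ips, proxy_ips):
    """True if the resolved client IP falls inside one of the gateway ranges."""
    client = resolve_client_ip(remote_addr, xff_header, proxy_ips)
    if client is None:
        return False
    return any(client in ipaddress.ip_network(g) for g in gateway_ips)


# Constructed sample zone (RFC 5737 documentation ranges, not from the thread).
GATEWAYS = ["203.0.113.0/24"]
PROXIES = ["198.51.100.7"]

if __name__ == "__main__":
    cases = [
        ("direct from gateway", "203.0.113.10", None),
        ("gateway via trusted proxy", "198.51.100.7", "203.0.113.10"),
        ("header from untrusted peer", "192.0.2.50", "203.0.113.10"),
        ("client-supplied entry via proxy", "198.51.100.7", "203.0.113.10, 192.0.2.50"),
    ]
    for name, peer, xff in cases:
        print(f"{name:32} -> in zone: {in_zone(peer, xff, GATEWAYS, PROXIES)}")
```

In this model a header is only consulted for hops behind a listed proxy, so a gateway address placed in X-Forwarded-For by an unlisted peer, or prepended by the client ahead of the proxy's own entry, does not put the request in the zone.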